Firmware update method in two-chip solution for secure terminal

ABSTRACT

A firmware update method in a two-chip solution for a secure terminal. The method comprises secure firmware update and application firmware update. The secure firmware update comprises: a secure processor erases a secure firmware storage area (201), decrypts a first ciphertext in firmware data to obtain a symmetric key (202), decrypts a second ciphertext in the firmware data with the symmetric key, and writes a decryption result to the secure firmware storage area (206). The application firmware update comprises: an application processor erases an application firmware storage area (301), acquires firmware data through the secure processor, decrypts a first ciphertext in the firmware data to obtain a symmetric key (302), decrypts a second ciphertext in the firmware data with the symmetric key, and writes a decryption result to the application firmware storage area (308). The method can effectively prevent firmware from being intercepted, copied, tampered with, damaged or simulated during the update process of the firmware.

FIELD OF THE INVENTION

The present invention relates to a method for updating a firmware in a double-chip-schemed security terminal, which belongs to the information security field.

PRIOR ART

A firmware is a program which is written in EPROM, EEPROM or Flash chip; in other words, a firmware is a solidified software, which is program code solidified in an integrated circuit. The firmware is in charge of controlling and coordinating the integrated circuit. However, with the development of technology, it is a strong wish to modify a firmware to adapt for an updating firmware environment. At present, a firmware is usually updated by entering a bootloader program in a chip or a self-programmed bootloader program through an external interface.

In prior art, the firmware which is being updated is sent to a chip in a form of plaintext, and the chip can be accessed through an external interface. Thus, the firmware may be intercepted, copied, interpolated, damaged or simulated in the process of updating.

SUMMARY OF THE INVENTION

The object of the present invention is to provide a method for updating firmware in a double-chip-schemed security terminal to protect the firmware from being intercepted, copied, interpolated, damaged or simulated.

Thus, the present invention provides a method for updating firmware in a double-chip-schemed security terminal, wherein:

a security terminal checks firmware information which is cached in a firmware buffer, and determines a type of the firmware updated according to the firmware information; security firmware is updated in the case that the firmware is a security firmware; application firmware is updated in the case that the firmware is an application firmware;

in which, the security terminal includes a security processor and an application processor,

updating a security firmware includes:

Step A1, erasing, by the security processor, a security firmware storage area, decrypting a first cipher in firmware data cached in the firmware buffer to obtain a symmetric key, initializing a firmware-read address and a firmware-updated destination address;

Step A2, reading, by the security processor, a preset length of data from the firmware-read address, decrypting read data according to the symmetric key to obtain decrypted data, writing the decrypted data in the firmware-updated destination address, updating the firmware-read address and the firmware-updated destination address; and

Step A3, determining, by the security processor, whether there exists unread data, if yes, returning to Step A2; otherwise, the process of updating security firmware is finished; and

updating an application firmware includes:

Step B1, erasing, by the application processor, an application firmware storage area, sending a reading-firmware-information instruction to the security processor, waiting for firmware information returned from the security processor;

Step B2, decrypting, by the security processor, the first cipher in the firmware data cached in the firmware buffer to obtain a symmetric key after the reading-firmware-information instruction is received by the security processor, initializing the firmware-read address, and returning the firmware information cached in the firmware buffer to the application processor;

Step B3, initializing, by the application processor, the firmware-updated destination address after the firmware information is received by the application processor, and executing Step B4;

Step B4, sending, by the application processor, a reading-firmware-data instruction to the security processor, and waiting for the firmware data returned by the security processor;

Step B5, reading, by the security processor, a preset length of data from the firmware-read address after the reading-firmware-data instruction is received by the security processor, updating the firmware-read address, decrypting the read data according to the symmetric key to obtain decrypted data, and returning the decrypted data to the application processor; and

Step B6, writing, by the application processor, the decrypted data into the firmware-updated destination address after the decrypted data is received by the application processor, and updating the firmware-updated destination address; determining whether there exists unread data, if yes, returning to Step B4; otherwise, the process of updating application firmware is finished.

Preferably, the firmware information includes a firmware update flag;

determining a type of firmware which is to be updated according to the firmware information specifically includes: determining a type of the firmware update flag in the firmware information, the firmware which is to be updated is security firmware in the case that the firmware update flag is a security firmware update flag; the firmware which is to be updated is application firmware in the case that the firmware update flag is an application firmware update flag.

Preferably, before the preset length of data is read by the security processor from the firmware-read address, the process further includes: initializing a reading length;

Preferably, after the preset length of cipher is read by the security processor from the firmware-read address, the method further includes: updating the reading length;

determining whether there exists unread data specifically includes: determining, by the security processor, whether the reading length is a preset value, if yes, there isn't unread data; otherwise, there exists unread data;

initializing the reading length specifically is: initializing the reading length so that the initialized reading length equals a length of a second cipher in the firmware data which is cached in the firmware buffer;

updating the reading length specifically is: updating the reading length as a length obtained by subtracting a preset length from a current value of the reading length; and

the preset value specifically is 0.

Preferably, initializing the firmware-read address is: initializing the firmware-read address as an initial address of the second cipher in the firmware data which is cached in the firmware buffer;

updating the firmware-read address specifically is: updating the firmware-read address as an address obtained by adding the preset length of offset to the current address.

Preferably, initializing, by the security processor, the firmware-updated destination address is: the security processor initializing the firmware-updated destination address as a preset address in the security firmware storage area;

updating, by the security processor, the firmware-updated destination address specifically is: the security processor updating the firmware-updated destination address as the address obtained by adding a preset length of offset to the current address.

Preferably, initializing, by the application processor, the firmware-updated destination address is: the application processor initializing the firmware-updated destination address as a preset address in the application firmware storage area;

updating, by the application processor, the firmware-updated destination address specifically is: the application processor updating the firmware-updated destination address as an address obtained by adding the preset length of offset to the current address.

Preferably, when the security processor determines that there is no unread data in Step A3, the step further includes: erasing the firmware buffer.

Preferably, when the application processor determines that there is no unread data in Step B6, the step further includes:

Step B7, sending, by the application processor, an instruction that reading firmware is finished to the security processor, waiting for an operation response returned from the security processor;

Step B8, erasing, by the security processor, the firmware buffer after the instruction that reading firmware is finished is received by the security processor, and returning an operation response to the application processor;

updating the application firmware is finished after the operation response returned from the security processor is received by the application processor.

Preferably, before the security terminal checks the firmware information cached in the firmware buffer, the process further includes downloading firmware, which includes:

Step C1, sending, by an upper computer, an instruction for downloading to the security processor via the application processor;

Step C2, erasing, by the security processor, the firmware buffer after the instruction for downloading is received by the security processor, storing firmware information in the instruction for downloading into the firmware buffer, and returning a first operation response to the upper computer via the application processor;

Step C3, checking, by the upper computer, the first operation response after the first operation response is received by the upper computer, sub-packaging and sending the firmware via the application processor to the security processor in the case that the first operation response is that the operation is successful; prompting that the information has error in the case that the first operation response includes error information, and the process of downloading firmware terminating;

Step C4, writing, by the security processor, firmware data in firmware data packages into the firmware buffer after the firmware data packages are received by the security processor, and sending a second operation response to the upper computer via the application processor;

Step C5, checking, by the upper computer, the second operation response after the second operation response is received, sending a downloading-finished instruction to the security processor via the application processor in the case that the second operation response is that the operation is successful; prompting that the information has error in the case that the second operation response includes error information, the process of downloading firmware terminating;

Step C6, determining, by the security processor, whether a firmware data package is included in the downloading-finished instruction after the downloading-finished instruction is received by the security processor, if yes, writing the firmware data in the firmware data package into the firmware buffer, and executing Step C7; otherwise, executing Step C7 directly;

Step C7, determining, by the security processor, whether the firmware information cached in the firmware buffer is legitimate, if yes, executing Step C8; otherwise, executing Step C10;

Step C8, determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer, if yes, executing Step C9; otherwise, executing Step C10;

Step C9, decrypting, by the security processor, a first cipher in the firmware data cached in firmware buffer to obtain a decrypted result, obtaining a hash value of a second cipher in the decrypted result; performing hash calculation on cipher in the firmware data cached in the firmware buffer to obtain a hash value of the second cipher, determining whether the hash value of the second cipher obtained from the decrypted result is same as the hash value of the second cipher obtained from the hash calculation, if the hash values are different from each other, erasing the firmware buffer and executing Step C10; if the hash values are same, executing Step C10 directly;

Step C10, returning, by the security processor, a third operation response to the upper computer via the application processor; and

Step C11, checking, by the upper computer, the third operation response after the third operation response is received by the upper computer, the firmware is downloaded successfully in the case that the third operation response is that the operation is successful; prompting that the information includes error in the case that the third operation response includes error information, the firmware is unsuccessfully downloaded; or,

downloading firmware includes:

Step D1, sending, by the application processor, a request-for-updating-firmware instruction to a server, waiting for the instruction for downloading sent by the server;

Step D2, sending, by the server, a corresponding instruction for downloading, via the application processor, to the security processor according to information of firmware type in the request-for-updating-firmware instruction after the request-for-updating-firmware instruction is received by the server;

Step D3, erasing, by the security processor, the firmware buffer after the instruction for downloading is received by the security processor, storing firmware information in the instruction for downloading into the firmware buffer, and returning the first operation response to the server via the application processor;

Step D4, checking, by the server, the first operation response after the first operation response is received by the server, sub-packaging the firmware and sending a sub-packaged firmware to the security processor via the application processor in the case that the first operation response is that the operation is successful; prompting that the information has error in the case that the first operation response has error information, and the process of downloading firmware terminating;

Step D5, writing, by the security processor, firmware data in firmware data packages into the firmware buffer after the firmware data packages are received, returning a second operation response to the server via the application processor;

Step D6, checking, by the server, the second operation response after the second operation response is received by the server, sending a downloading-finished instruction to the security processor via the application processor in the case that the second operation response is that the operation is successful; prompting that the information has error in the case that the second operation response includes error information, and the process of downloading firmware terminating;

Step D7, determining, by the security processor, whether a firmware data package is included in the downloading-finished instruction after the downloading-finished instruction is received by the security processor, if yes, writing the firmware data in the firmware data package into the firmware buffer, and executing Step D8; otherwise, executing Step D8 directly;

Step D8, determining, by the security processor, whether the firmware information cached in the firmware buffer is legitimate, if yes, executing Step D9; if no, executing Step D11;

Step D9, determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer, if yes, executing Step D10; if no, executing Step D11;

Step D10, decrypting, by the security processor, a first cipher in the firmware data cached in the firmware buffer to obtain a decrypted result, obtaining a hash value of a second cipher from the decrypted result, performing a hash calculation on a second cipher in the firmware data cached in the firmware buffer to obtain a hash value of the second cipher, determining whether the hash value of the second cipher obtained from the decrypted result is same as the hash value of the second cipher obtained via the hash calculation, erasing the firmware buffer and executing Step D11 if the hash values are different from each other; executing Step D11 directly if the hash values are just the same as each other;

Step D11, returning, by the security processor, a third operation response to the server via the application processor; and

Step D12, checking, by the server, a third operation response after the third operation response is received by the server, downloading firmware is successful in the case that the third operation response is that the operation is successful; prompting that the information has error in the case that the third operation response has error information, and downloading firmware has failed.

Preferably, the firmware information includes fixed data;

determining, by the security processor, whether firmware information cached in the firmware buffer is legitimate specifically includes: determining, by the security processor, whether the fixed data in the firmware information cached in the firmware buffer is preset data, if yes, the firmware information cached in the firmware buffer is legitimate; otherwise, the firmware information cached in the firmware buffer is illegitimate;

Preferably, the firmware information includes a length of firmware data;

determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer specifically includes: determining, by the security processor, whether the length of firmware data in the firmware information cached in the firmware buffer is same as the length of firmware data cached in the firmware buffer, if yes, the firmware data cached in the firmware buffer is legitimate; otherwise, the firmware data cached in the firmware buffer is not legitimate.

Preferably, after the security processor erases the security firmware storage area, the process further includes: copying the firmware information cached in the firmware buffer into the security firmware storage area;

after the application processor erases the application firmware storage area, the process further includes: copying the firmware information cached in the firmware buffer into the application firmware storage area.

Preferably, before Step D1, the process further includes:

Step E1, sending, by the application processor, a reading-firmware-version-information instruction to the security processor, and waiting for version information of firmware returned from the security processor;

Step E2, obtaining, by the security processor, version information of security firmware from the security firmware information stored in the security firmware storage area after the reading-firmware-version-information instruction is received by the security processor, obtaining version information of application firmware from the application firmware information stored in the application firmware storage area, and then returning the version information of security firmware and the version information of application firmware to the application processor;

Step E3, sending, by the application processor, a reading-latest-firmware-version-information instruction to the server after the version information of security firmware and the version information of application firmware are received by the application processor, waiting for information of the latest firmware version returned by the server;

Step E4, sending, by the server, information of the latest security firmware version and information of the latest application firmware version to the application processor after the reading-latest-firmware-version-information instruction is received by the server; and

Step E5, comparing, by the application processor, the information of the latest security firmware version and the information of the latest application firmware version sent by the server with the version information of security firmware and the version information of application firmware returned from the security processor respectively, determining whether the firmware needs to be updated, if yes, executing Step D1; otherwise, downloading of firmware terminating;

Preferably, sending, by the server, a corresponding instruction for downloading to the security processor via the application processor according to the information of firmware type in the request-for-updating-firmware instruction includes:

sending, by the server, the instruction for downloading which includes firmware information of a security firmware update flag and the version information of security firmware to the security processor via the application processor in the case that the firmware is the security firmware;

sending, by the server, the instruction for downloading which includes firmware information of an application firmware update flag and the version information of application firmware to the security processor via the application processor in the case that the firmware is the application firmware.

According to the present invention, a security terminal has an application processor and a security processor which has no interface connecting to the outside; thus, the security processor cannot be accessed directly, a firmware can be downloaded into the security processor only via the application processor, and the security processor takes part both in the process of updating a security firmware and in the process of updating an application firmware. In this way, the firmware is protected from being intercepted, copied, interpolated, damaged or simulated in the process of updating.

BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS

The embodiments of the present invention or technical solutions in prior art are further described more clearly and completely with the drawings in the embodiments of the present invention. Obviously, the embodiments herein are just a few embodiments of the present invention, and when it comes to those skilled in the art, other drawings can be obtained by them without any inventive work.

FIG. 1 illustrates a flow diagram of downloading firmware in a method for updating firmware in a double-chip-schemed security terminal according to Embodiment 1 of the present invention;

FIG. 2 illustrates a flow diagram of updating security firmware in the method for updating firmware in a double-chip-schemed security terminal according to Embodiment 1 of the present invention;

FIG. 3 illustrates a flow diagram of updating application firmware in the method for updating firmware in a double-chip-schemed security terminal according to Embodiment 1 of the present invention;

FIG. 4 and FIG. 5 illustrate a flow diagram of downloading firmware in a method for updating firmware in a double-chip-schemed security terminal according to Embodiment 2 of the present invention;

FIG. 6 illustrates a flow diagram of updating security firmware in the method for updating firmware in a double-chip-schemed security terminal according to Embodiment 2 of the present invention;

FIG. 7 illustrates a flow diagram of updating application firmware in the method for updating firmware in a double-chip-schemed security terminal according to Embodiment 2 of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The technical solution in the Embodiments of the present invention is further described more clearly and completely with the drawings in the Embodiments of the present invention. Apparently, Embodiments described herein are just a few Embodiments of the present invention. On the basis of Embodiments of the invention, all other related Embodiments made by those skilled in the art without any inventive work belong to the scope of the invention.

An application processor and a security processor are set in a security terminal in the present invention, and the security processor does not have an interface to the outside. Embodiment 1 provides a method for updating locally, and Embodiment 2 provides a method for updating remotely.

Embodiment 1

The present invention provides a method for updating firmware in a double-chip-schemed security terminal, the method includes a process of downloading firmware and a process of updating firmware, in which, the process of downloading firmware applies for downloading of application firmware and downloading of security firmware; the process of updating firmware includes updating of application firmware and updating of security firmware.

As shown in FIG. 1, the process of downloading firmware specifically includes:

Step 101, an upper computer sends an instruction for downloading to an application processor;

in the present Embodiment 1, the upper computer sends the instruction for downloading including firmware information to the application processor, in which, the firmware information includes: fixed data, length of firmware data and a firmware update flag, the firmware update flag specifically includes an application firmware update flag and a security firmware update flag;

Step 102, the application processor sends the instruction for downloading to the security processor after the instruction for downloading is received by the application processor;

Step 103, the security processor erases a firmware buffer after the instruction for downloading is received by the security processor, and stores firmware information in the instruction for downloading into the firmware buffer;

Step 104, the security processor returns a first operation response to the application processor;

in Embodiment 1, the first operation response that the operation is successful is returned to the application processor in the case that the firmware buffer is successfully erased and the firmware information is successfully saved into the firmware buffer by the security processor; otherwise, the first operation response including error information is returned to the application processor;

Step 105, the application processor returns the first operation response to the upper computer after the first operation response is received by the application processor;

Step 106, the upper computer checks the first operation response after the first operation response is received, and executes Step 107 in the case that the first operation response is that the operation is successful; it prompts that the information has error in the case that the first operation response includes error information, and the process of downloading firmware terminates;

Step 107, the upper computer sub-packages the firmware and the sub-packaged firmware is downloaded into the application processor;

in Embodiment 1, the firmware is sub-packaged to obtain a firmware data package, the firmware data package includes the firmware data, a destination address and the length of firmware data, in which, the firmware data is composed of a first cipher and a second cipher; the first cipher is obtained by using a preset private key to encrypt a symmetric key and a hash value of the second cipher, and the second cipher is obtained by using a symmetric key to encrypt a firmware plaintext and a hash value of the firmware plaintext;

Step 108, the application processor sends the firmware data package to the security processor after the firmware data package is received by the application processor;

Step 109, the security processor writes firmware data in the firmware data package into the firmware buffer according to a destination address and a length of firmware data in the firmware data package after the firmware data is received by the security processor;

Step 110, the security processor returns a second operation response to the application processor;

in the present Embodiment 1, the security processor returns the second operation response that the operation is successful to the application processor when the security processor writes the firmware data in the firmware data package into the firmware buffer successfully; otherwise, the security processor returns the second operation response which includes error information to the application processor;

Step 111, the application processor returns the second operation response to the upper computer after the second operation response is received by the application processor;

Step 112, the upper computer checks the second operation response after the second operation response is received by the upper computer, and executes Step 113 in the case that the second operation response is that the operation is successful; it prompts that the information has error in the case that the second operation response includes error information, and the process of downloading firmware comes to an end;

Step 113, the upper computer sends a downloading-finished instruction to the application processor;

Step 114, the application processor sends the downloading-finished instruction to the security processor after the instruction is received by the application processor;

Step 115, the security processor determines whether the downloading-finished instruction includes a firmware data package after the downloading-finished instruction is received, if yes, execute Step 116; otherwise, execute Step 117;

Step 116, the security processor writes the firmware data in the firmware data package into the firmware buffer according to the destination address and the length of firmware data in the firmware data package, and executes Step 117;

Step 117, the security processor reads firmware information cached in the firmware buffer, and determines whether the firmware information is legitimate, if yes, execute Step 118; otherwise, execute Step 121;

in the present Embodiment 1, the security processor determines whether the firmware information is legitimate by determining whether fixed data in the firmware information is preset data, the firmware information is legitimate in the case that the fixed data in the firmware information is the preset data; the firmware information is illegitimate in the case that the fixed data in the firmware information is not the preset data;

preferably, in Embodiment 1, the preset data is 46 54 43 58;

Step 118, the security processor determines whether the fixed data which is downloaded is legitimate according to the firmware information, if yes, execute Step 119; otherwise, execute Step 121;

in the present Embodiment 1, the firmware data which is downloaded is the firmware data cached in the firmware buffer, the security processor determines whether the firmware data downloaded is legitimate by determining whether the length of firmware data in the firmware information is same as the length of firmware data cached in the firmware buffer, the firmware data downloaded is legitimate in the case that the length of firmware data in the firmware information is same as the length of firmware data cached in the firmware buffer; the firmware data is illegitimate in the case that the length of firmware data in the firmware information is different from the length of firmware data cached in the firmware buffer;

Step 119, the security processor decrypts the first cipher in the firmware data according to a preset public key to obtain a decrypted result, obtains a hash value of the second cipher in the decrypted result, performs a hash calculation on the second cipher in the firmware data to obtain a hash value of the second cipher;

Step 120, the security processor determines whether the hash value of the second cipher in the decrypted result is same as the hash value of the second cipher obtained by calculating, if yes, execute Step 122; otherwise, execute Step 121;

Step 121, the security processor erases the firmware buffer, and executes Step 122;

Step 122, the security processor returns a third operation response to the application processor;

in the present Embodiment 1, the security processor returns the third operation response that the operation is successful to the application processor in the case that the security processor determines that the firmware data in the firmware buffer is correct; otherwise, the security processor returns the third operation response which includes error information;

Step 123, the application processor returns the third operation response to the upper computer after the third operation response is received by the application processor;

Step 124, the upper computer checks the third operation response after the third operation response is received, the process of downloading firmware is finished in the case that the third operation response is that the operation is successful; it prompts that the information has error in the case that the third operation response includes error information, and the process of downloading firmware comes to an end;

in the present Embodiment 1, the security terminal restarts after the process of downloading firmware comes to an end; subsequently, the security processor determines a firmware update flag in the firmware information cached in the firmware buffer, if the firmware update flag is a security firmware update flag, the security firmware is updated; if the firmware update flag is an application firmware update flag, the security processor waits for an instruction for reading update state of the application firmware read by the application processor, returns a response that the application firmware needs to be updated to the application processor, and then the application firmware is updated.

As shown in FIG. 2, the process of updating the security firmware specifically includes:

Step 201, the security processor erases the firmware storage area;

Step 202, the security processor decrypts the first cipher in the firmware data cached in the firmware buffer according to the preset public key to obtain a decrypted result, and obtains a symmetric key from the decrypted result;

Step 203, the security processor initializes a firmware-read address as an initial address of the second cipher in the firmware data cached in the firmware buffer, initializes a reading length as the length of the second cipher in the firmware data cached in the firmware buffer, and initializes a firmware-updated destination address as a preset address in the security firmware storage area;

in the present Embodiment 1, the preset address in the security firmware storage area may be any address behind the firmware information stored in the security firmware storage area;

preferably, in Step 203, the firmware-updated destination address is initialized as an address, the offset of which equals the length of the firmware information stored in the security firmware storage area;

Step 204, the security processor reads data of a preset length from the firmware-read address;

Step 205, the security processor decrypts the read data according to the obtained symmetric key;

Step 206, the security processor writes the data obtained by decrypting into the firmware-updated destination address;

Step 207, the security processor updates the firmware-read address as an address obtained by the current firmware-read address plus an offset of a preset length, updates the reading length as a length obtained by the current reading length minus a preset length, and updates the firmware-updated destination address as an address obtained by the current firmware-updated destination address plus an offset of a preset length;

Step 208, the security processor determines whether there exists unread data according to the reading length, if yes, return to Step 204; otherwise, execute Step 209;

in the present Embodiment 1, the security processor determines whether there exists unread data by determining whether the reading length is larger than 0, there exists unread data if the reading length is larger than 0; there is no unread data if the reading length is not larger than 0;

Step 209, the security processor erases the firmware buffer, and the process of updating the security firmware is finished.

As shown in FIG. 3, the process of updating the application firmware specifically includes:

Step 301, the application processor erases the application firmware storage area, sends a reading-firmware-information instruction, and then waits for firmware information returned by the security processor;

Step 302, the security processor decrypts the first cipher in the firmware data cached in the firmware buffer according to the preset public key after the reading-firmware-information instruction is received to obtain a decrypted result, obtains a symmetric key from the decrypted result, and initializes the firmware-read address as an initial address of the second cipher in the firmware data cached in the firmware buffer;

Step 303, the security processor returns the firmware information cached in the firmware buffer to the application processor;

Step 304, the application processor initializes the firmware-updated destination address as a preset address in the application firmware storage area after the firmware information is received by the application processor, obtains the length of firmware data in the firmware information, calculates the length of the second cipher in the firmware data according to the length of firmware data, and initializes the reading length as the length of the second cipher in the firmware data;

specifically, calculating the length of the second cipher in the firmware data according to the length of firmware data includes: obtaining the difference of the length of firmware and the length of the first cipher in the firmware data to obtain the length of the second cipher in the firmware data, in which the length of the first cipher equals the length of the preset public key;

preferably, in Embodiment 1, the length of the preset public key is 256 bytes;

Step 305, the application processor sends a reading-firmware-data instruction to the security processor, and waits for firmware data returned from the security processor;

Step 306, the security processor reads data of a preset length from the firmware-read address after the reading-firmware-data instruction is received by the security processor, updates the firmware-read address as an address which is obtained by the current firmware-read address plus an offset of a preset length, and decrypts the read data by using the obtained symmetric key;

Step 307, the security processor returns the data obtained by decrypting to the application processor;

Step 308, the application processor writes the received data into the firmware-updated destination address after the data obtained by decrypting is received by the application processor, updates the reading length as the length obtained by the current reading length minus the preset length, and updates the firmware-updated destination address as an address obtained by the current address plus an offset of a preset length;

Step 309, the application processor determines whether there exists unread data according to the reading length, if yes, return to Step 305; otherwise, execute Step 310;

in Embodiment 1, the application processor determines whether there exists unread data by determining whether the reading length is larger than 0, there exists unread data if the reading length is larger than 0; there is no unread data if the reading length is not larger than 0;

Step 310, the application processor sends an instruction that reading firmware is finished to the security processor, and waits for an operation response returned from the security processor;

Step 311, the security processor erases the firmware buffer after the instruction that reading firmware is finished is received by the security processor;

Step 312, the security processor returns the operation response to the application processor;

Step 313, the process of updating the application firmware is finished after the operation response returned from the security processor is received by the application processor.

Furthermore, in Embodiment 1, after the instruction is received by the security processor, the process further includes: whether the format and content of the instruction are correct is checked, whether the instruction is supported is determined, and the message authentication code in an authentication instruction is checked; an error code is returned to the application processor in the case that the format or content is not correct, the instruction is not supported, or the message authentication code fails; for instance, 6D00 is returned to the application processor if the instruction is not supported.

In the method for updating the firmware provided by the present invention, the security terminal includes an application processor and a security processor, the upper computer accesses the security processor only via the application processor, and the firmware which is to be updated is downloaded into the security processor via the application processor in the form of cipher; the security of firmware is improved in the process of updating firmware because the security processor takes part in the process of updating application firmware or security firmware, thus, firmware is protected from being intercepted, copied, interpolated or damaged.

Embodiment 2

Embodiment 2 of the present invention provides a method for updating firmware in a double-chip-schemed security terminal, the method includes a process of downloading firmware and a process of updating firmware, in which the process of downloading firmware applies to downloading application firmware and downloading security firmware; the process of updating firmware includes updating application firmware and updating security firmware.

As shown in FIG. 4 and FIG. 5, the process of downloading firmware specifically includes:

Step 401, the application processor sends a reading-firmware-version-information instruction to the security processor;

Step 402, the security processor reads security firmware information from a security firmware storage area and reads application firmware information from an application firmware storage area respectively after the reading-firmware-version-information instruction is received by the security processor;

Step 403, the security processor obtains version information of security firmware from the security firmware information, and obtains version information of application firmware from the application firmware information;

Step 404, the security processor returns the version information of security firmware and the version information of application firmware to the application processor;

Step 405, the application processor receives and saves the version information of security firmware and the version information of application firmware returned from the security processor;

Step 406, the application processor sends a reading-latest-firmware-version-information instruction to a server;

Step 407, the server sends the information of the latest security firmware version and the information of the latest application firmware version to the application processor after the reading-latest-firmware-version-information instruction is received by the server;

Step 408, the application processor compares the information of the latest security firmware version and the information of the latest application firmware version with the version information of security firmware and the version information of application firmware which are returned from the security processor respectively after the information of the latest application firmware version and the version information of security firmware are received by the application processor, determines whether the firmware needs to be updated, if yes, execute Step 409; otherwise, the process of downloading firmware comes to an end;

in Embodiment 2, the application processor determines whether the information of the latest security firmware version is the same as the version information of security firmware returned from the security processor and whether the information of the latest application firmware version is the same as the version information of application firmware returned by the security processor respectively, if yes, the firmware need not be updated; otherwise, the firmware needs to be updated;

Step 409, the application processor sends a request-for-updating-firmware instruction to the server, and waits for an instruction for downloading sent by the server;

in the present Embodiment 2, the application processor sends a firmware-updated instruction which includes information of firmware type to the server, in which the information of firmware type is security firmware or application firmware;

in the present Embodiment 2, when both the security firmware and the application firmware need to be updated, the application processor first requests the server to update the firmware whose priority is higher, according to a preset priority; for example, the priority of security firmware is preset to be higher than the priority of application firmware, and when it is determined in Step 408 that both the security firmware and the application firmware need to be updated, the application processor requests the server to update the security firmware first;

Step 410, the server sends a corresponding instruction for downloading to the application processor according to the information of firmware type in the request-for-updating-firmware instruction after the request-for-updating-firmware instruction is received by the server;

in the present Embodiment 2, the server sends the downloading instruction including the firmware information to the application processor, in which the firmware information includes fixed data, a length of firmware data, a firmware-updated flag and information of firmware version, in which the firmware-updated flag specifically includes an application-firmware-updated flag and a security-firmware-updated flag, and the information of firmware version specifically includes information of security firmware version and information of application firmware version;

specifically, the server sends the downloading instruction which includes the firmware information including the security-firmware-updated flag and the information of security firmware version to the application processor in the case that the information of firmware type in the request-for-updating-firmware instruction is security firmware; the server sends the downloading instruction which includes the firmware information including an application-firmware-updated flag and the information of application firmware version to the application processor in the case that the information of firmware type in the request-for-updating-firmware instruction is the application firmware;

Step 411, the application processor sends the downloading instruction to the security processor after the instruction for downloading is received by the application processor;

Step 412, the security processor erases the firmware buffer after the instruction for downloading is received by the security processor, and stores the firmware information in the instruction for downloading into the firmware buffer;

Step 413, the security processor returns a first operation response to the application processor;

in the present Embodiment 2, the security processor returns the first operation response that the operation is successful to the application processor when the firmware buffer is erased and the firmware information is stored into the firmware buffer successfully by the application processor.

Step 414, the application processor returns the first operation response to the server after the first operation response is received by the application processor;

Step 415, the server checks the first operation response after the response is received by the server, execute Step 416 in the case that the operation is successful; an error is prompted in the case that the first operation response includes error information, and the process of downloading firmware comes to an end;

Step 416, the server sub-packages and downloads the firmware into the application processor;

in the present Embodiment 2, the firmware is sub-packaged to obtain a firmware data package which, in addition to the firmware data, further includes a destination address and a length of firmware data, in which the firmware data is composed of the first cipher and the second cipher, the first cipher is obtained by using a preset private key to encrypt a symmetric key and a hash value of the second cipher, and the second cipher is obtained by using the symmetric key to encrypt the firmware plaintext and a hash value of the firmware plaintext;

Step 417, the application processor sends the firmware data package to the security processor after the firmware data package is received by the application processor;

Step 418, the security processor writes the firmware data in the firmware data package into the firmware buffer according to the destination address and the length of firmware data in the firmware data package after the firmware data is received by the security processor;

Step 419, the security processor returns a second operation response to the application processor;

in the present Embodiment 2, the security processor returns the second operation response that the operation is successful to the application processor in the case that the security processor writes the firmware data in the firmware data package into the firmware buffer successfully; otherwise, the security processor returns the second operation response including error information to the application processor.

Step 420, the application processor returns the second operation response to the server after the second operation response is received by the application processor;

Step 421, the server checks the second operation response after it receives the second operation response, execute Step 422 in the case that the second operation response is that the operation is successful; an error is prompted in the case that the second operation response includes an error, and the process of downloading firmware comes to an end;

Step 422, the server sends a downloading-finished instruction to the application processor;

Step 423, the application processor sends the downloading-finished instruction to the security processor after the downloading-finished instruction is received by the application processor;

Step 424, the security processor determines whether the downloading-finished instruction includes the firmware data package after the instruction is received by the security processor, if yes, execute Step 425; otherwise, execute Step 426;

Step 425, the security processor writes the firmware data in the firmware data package into the firmware buffer according to the destination address and the length of firmware data in the firmware data package, and executes Step 426;

Step 426, the security processor reads the firmware information cached in the firmware buffer, and determines whether the firmware information is legitimate, if yes, execute Step 427; otherwise, execute Step 430;

in the present Embodiment 2, the security processor determines whether the firmware information is legitimate by determining whether the firmware data in the firmware information is preset data, the firmware information is legitimate in the case that the firmware data in the firmware information is the preset data; the firmware information is illegitimate in the case that the firmware data in the firmware information is not the preset data;

preferably, in Embodiment 2, the preset data is 46 54 43 58;

Step 427, the security processor determines whether the downloaded firmware data is legitimate according to the firmware information, if yes, execute Step 428; otherwise, execute Step 430;

in the present Embodiment 2, the downloaded firmware data is the firmware data cached in the firmware buffer, the security processor determines whether the downloaded firmware data is legitimate by determining whether the length of firmware data in the firmware information is the same as the length of firmware data cached in the firmware buffer, the firmware data is legitimate if the length of firmware data in the firmware information is the same as the length of firmware data cached in the firmware buffer; otherwise, the firmware data is not legitimate;

Step 428, the security processor decrypts the first cipher in the firmware data according to the preset public key to obtain a decrypted result, obtains a hash value of the second cipher from the decrypted result, and performs a hash calculation on the second cipher in the firmware data to obtain a hash value of the second cipher;

Step 429, the security processor determines whether the hash value of the second cipher in the decrypted result is the same as the hash value of the second cipher obtained by calculating, if yes, execute Step 431; otherwise, execute Step 430;

Step 430, the security processor erases the firmware buffer, and Step 431 is executed;

Step 431, the security processor returns a third operation response to the application processor;

in Embodiment 2, the security processor returns a third operation response that the operation is successful in the case that the firmware data in the firmware buffer is correct; otherwise, the security processor returns a third operation response including error information to the application processor;

Step 432, the application processor returns the third operation response to the server after the third operation response is received by the application processor;

Step 433, the server checks the third operation response after the third operation response is received by the server, the process of downloading firmware is finished if the third operation response is that the operation is successful; an error is prompted if the third operation response includes an error, and the process of downloading comes to an end.

In Embodiment 2, after the firmware is downloaded, the security terminal is restarted, subsequently, the security processor checks the firmware-updated flag in the firmware information cached in the firmware buffer, and the security firmware is updated if the flag is a security-firmware-updated flag; if the flag is an application-firmware-updated flag, a reading-application-firmware-update-state instruction sent by the application processor is waited for, and the application firmware is updated after the application processor returns a response that the application firmware needs to be updated.

As shown in FIG. 6, the process of updating the security firmware specifically includes:

Step 501, the application processor erases the security firmware storage area;

Step 502, the security processor copies the firmware information in the firmware buffer into the security firmware storage area;

Step 503, the security processor decrypts the first cipher in the firmware data cached in the firmware buffer according to the preset public key to obtain a decrypted result, and obtains a symmetric key from the decrypted result;

Step 504, the security processor initializes a firmware-read address as an initial address of the second cipher in the firmware data cached in the firmware buffer, initializes a reading length as the length of the second cipher in the firmware data cached in the firmware buffer, and initializes a firmware-updated destination address as a preset address in the security firmware storage area;

in the present Embodiment 2, the preset address in the security firmware storage area may be any address behind the firmware information stored in the security firmware storage area;

preferably, in Step 504, the firmware-updated destination address is initialized as an address, the offset of which equals the length of the firmware information stored in the security firmware storage area;

Step 505, the security processor reads a preset length of data from the firmware-read address;

Step 506, the security processor decrypts the read data according to the obtained symmetric key;

Step 507, the security processor writes the data obtained by decrypting into the firmware-updated destination address;

Step 508, the security processor updates the firmware-read address as an address which is obtained by adding an offset of a preset length to the current firmware-read address, updates the reading length as a length which is obtained by subtracting a preset length from the current reading length, and updates the firmware-updated destination address as an address obtained by adding an offset of a preset length to the current firmware-updated destination address;

Step 509, the security processor determines whether there exists unread data according to the reading length, if yes, return to Step 505; otherwise, execute Step 510;

in Embodiment 2, the security processor determines whether there exists unread data by determining whether the reading length is longer than 0, there exists unread data if the reading length is longer than 0; there is no unread data if the reading length is not longer than 0;

Step 510, the security processor erases the firmware buffer, and the process of updating the security firmware is finished.
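The checks of Steps 426 and 427 followed by the chunked loop of Steps 504 to 510, as an added C example (not code from the patent): it keeps the firmware-read address, reading length and destination address as the steps describe, and it bounds the last chunk and the destination range, because subtracting a fixed preset length from an unsigned reading length wraps around when the second cipher is not a multiple of that length. The field sizes in `fw_info_t`, the 64-byte chunk, the XOR stand-in for the unnamed symmetric cipher, and every identifier are assumptions; the first cipher is treated as opaque and the hash comparison of Steps 428 and 429 is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIRST_CIPHER_LEN 256u  /* page: first cipher length = preset public key length */
#define CHUNK_LEN        64u   /* assumption: the "preset length" read per iteration */
#define DEMO_MAX         200u  /* size of the constructed demo payload area */

/* Assumed layout: the page lists these fields but not their sizes. */
typedef struct {
    uint8_t  fixed_data[4];    /* page: preset data 46 54 43 58 */
    uint32_t firmware_len;     /* first cipher + second cipher */
    uint8_t  update_flag;
    uint8_t  version[3];
} fw_info_t;

typedef enum { FW_OK = 0, FW_BAD_MAGIC, FW_BAD_LENGTH, FW_DEST_TOO_SMALL } fw_status_t;

/* Stand-in for Step 506: a repeating-key XOR, NOT a real cipher. */
static void toy_decrypt(const uint8_t *key, size_t key_len, const uint8_t *in,
                        uint8_t *out, size_t n, size_t stream_pos)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(in[i] ^ key[(stream_pos + i) % key_len]);
}

/* Steps 426-427: fixed data, then declared length against buffered length. */
fw_status_t fw_validate(const fw_info_t *info, size_t buffered_len, size_t *second_len)
{
    static const uint8_t magic[4] = { 0x46, 0x54, 0x43, 0x58 };
    if (memcmp(info->fixed_data, magic, sizeof magic) != 0)
        return FW_BAD_MAGIC;
    if (info->firmware_len != buffered_len)
        return FW_BAD_LENGTH;
    if (info->firmware_len <= FIRST_CIPHER_LEN)  /* length - 256 would wrap or be empty */
        return FW_BAD_LENGTH;
    *second_len = info->firmware_len - FIRST_CIPHER_LEN;
    return FW_OK;
}

/* Steps 504-509: read, decrypt, write, advance the three cursors. */
fw_status_t fw_update(const uint8_t *fw_data, size_t second_len,
                      const uint8_t *key, size_t key_len,
                      uint8_t *storage, size_t storage_len, size_t dest_off,
                      size_t *written)
{
    /* Written as a subtraction so the bounds check itself cannot overflow. */
    if (dest_off > storage_len || second_len > storage_len - dest_off)
        return FW_DEST_TOO_SMALL;

    const uint8_t *read_addr = fw_data + FIRST_CIPHER_LEN;  /* start of second cipher */
    size_t reading_len = second_len;
    uint8_t *dest = storage + dest_off;
    uint8_t chunk[CHUNK_LEN];

    *written = 0;
    while (reading_len > 0) {
        /* Clamp the final chunk so neither the read nor the counter overruns. */
        size_t n = reading_len < CHUNK_LEN ? reading_len : CHUNK_LEN;
        toy_decrypt(key, key_len, read_addr, chunk, n, second_len - reading_len);
        memcpy(dest, chunk, n);
        read_addr += n;
        dest += n;
        reading_len -= n;
        *written += n;
    }
    return FW_OK;
}

/* Constructed sample: builds a package in RAM, runs both stages and returns the
 * number of plaintext bytes restored correctly (0 when the input is rejected). */
size_t fw_demo(size_t second_len, int corrupt_magic)
{
    static uint8_t buffer[FIRST_CIPHER_LEN + DEMO_MAX];
    static uint8_t storage[sizeof(fw_info_t) + DEMO_MAX];
    static const uint8_t key[8] = { 0x10, 0x32, 0x54, 0x76, 0x98, 0xBA, 0xDC, 0xFE };
    size_t len2 = 0, written = 0;

    if (second_len > DEMO_MAX)
        return 0;
    fw_info_t info = { { 0x46, 0x54, 0x43, 0x58 },
                       (uint32_t)(FIRST_CIPHER_LEN + second_len), 1, { 1, 0, 0 } };
    if (corrupt_magic)
        info.fixed_data[0] ^= 0xFF;
    memset(buffer, 0xA5, FIRST_CIPHER_LEN);        /* placeholder first cipher */
    for (size_t i = 0; i < second_len; i++)        /* plaintext byte i is (uint8_t)i */
        buffer[FIRST_CIPHER_LEN + i] = (uint8_t)((uint8_t)i ^ key[i % sizeof key]);

    if (fw_validate(&info, FIRST_CIPHER_LEN + second_len, &len2) != FW_OK)
        return 0;
    /* Destination offset = length of the stored firmware information (Step 504). */
    if (fw_update(buffer, len2, key, sizeof key, storage, sizeof storage,
                  sizeof(fw_info_t), &written) != FW_OK)
        return 0;
    for (size_t i = 0; i < written; i++)
        if (storage[sizeof(fw_info_t) + i] != (uint8_t)i)
            return 0;
    return written;
}

int main(void) { return fw_demo(200, 0) == 200 ? 0 : 1; }
```

With a 200-byte second cipher the loop runs three full 64-byte chunks and one 8-byte chunk; a loop that always subtracted 64 would leave the counter at a very large unsigned value after the fourth pass instead of reaching 0.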

As shown in FIG. 7, the process of updating the application firmware specifically includes:

Step 601, the application processor erases the application firmware storage area, sends the reading-firmware-information instruction to the security processor, and waits for firmware information returned from the security processor;

Step 602, the security processor decrypts the first cipher in the firmware data cached in the firmware buffer according to a preset public key after the reading-firmware-information instruction is received by the security processor;

Step 603, the security processor returns the firmware information cached in the firmware buffer to the application processor;

Step 604, the application processor stores the firmware information into the application firmware storage area after the firmware information is received, initializes the firmware-updated destination address as a preset address in the application firmware storage area, obtains the length of firmware data in the firmware information, obtains the length of the second cipher in the firmware data by calculating according to the length of firmware data, and initializes the reading length as the length of the second cipher in the firmware data;

specifically, the preset address in the application firmware storage area may be any address in the application firmware storage area;

preferably, in Step 604, the firmware-updated destination address is initialized as an address, the offset of which equals 0, in the application firmware storage area;

specifically, obtaining the length of the second cipher in the firmware data by calculating according to the length of firmware data includes: figuring out the difference between the length of firmware and the length of the first cipher in the firmware data to obtain the length of the second cipher in the firmware data, in which the length of the first cipher equals the length of the preset public key;

preferably, in Embodiment 2, the length of the preset public key is 256 bytes;

Step 605, the application processor sends the reading-firmware-data instruction to the security processor, and waits for the firmware data returned from the security processor;

Step 606, the security processor reads the preset length of data from the firmware-read address after the reading-firmware-data instruction is received by the security processor, updates the firmware-read address as an address obtained by adding an offset of a preset length to the current firmware-read address, and decrypts the read data by using the obtained symmetric key;

Step 607, the security processor returns the data obtained by decrypting to the application processor;

Step 608, the application processor writes the received data into the firmware-updated destination address after the data obtained by decrypting which is returned by the security processor is received by the application processor, updates the reading length as a length obtained by subtracting a preset length from the current reading length, and updates the firmware-updated destination address as an address obtained by adding an offset of a preset length to the current firmware-updated destination address;

Step 609, the application processor determines whether there exists unread data according to the reading length, if yes, return to Step 605; otherwise, execute Step 610;

in the present Embodiment 2, the application processor determines whether there exists unread data by determining whether the reading length is longer than 0, there exists unread data if the reading length is longer than 0; otherwise, there is no unread data;

Step 610, the application processor sends an instruction that reading firmware is finished to the security processor, and waits for an operation response returned by the security processor;

Step 611, the security processor erases the firmware buffer after the instruction that reading firmware is finished;

Step 612, the security processor returns an operation response to the application processor;

Step 613, the process of updating the application firmware is finished after the operation response returned from the security processor is received by the application processor.

Furthermore, in Embodiment 2, after the instruction is received by the security processor, the process includes: checking whether the format and content of the instruction are correct and whether the instruction is supported, and checking the information authentication code in the instruction; an error code is returned to the application processor if the format or content is not correct, the instruction is not supported, or the information authentication code is not authenticated successfully; for example, 6D 00 is returned to the application processor if the instruction is not supported.

In the method for updating firmware provided by the present invention, the security terminal includes an application processor and a security processor, the upper computer accesses the security processor only via the application processor, and the firmware which is to be updated is downloaded into the security processor via the application processor in the form of cipher; the security of firmware is improved in the process of updating firmware because the security processor takes part in the process of updating application firmware or security firmware, thus, firmware is protected from being intercepted, copied, interpolated, damaged or impersonated.

The embodiments above are only preferable embodiments; all changes and substitutions made by those skilled in the art belong to the scope of protection of the present invention.

The invention claimed is:
1. A method for updating a firmware in a double-chip-schemed security terminal, wherein said method comprises: checking, by a security terminal, firmware information which is cached in a firmware buffer, and determining a type of the firmware to be updated according to the firmware information, updating a security firmware in the case that the firmware is the security firmware, while updating an application firmware in the case that the firmware is the application firmware; in which the security terminal comprises a security processor and an application processor, updating a security firmware comprises:
Step A1, erasing, by the security processor, a security firmware storage area, decrypting a first cipher in firmware data cached in the firmware buffer so as to obtain a symmetric key, and initializing a firmware-read address and a firmware-updated destination address;
Step A2, reading, by the security processor, a preset length of data from the firmware-read address, decrypting the read data according to the symmetric key so as to obtain decrypted data, writing the decrypted data in the firmware-updated destination address, and updating the firmware-read address and the firmware-updated destination address; and
Step A3, determining, by the security processor, whether there exists any unread data, if yes, returning to Step A2; otherwise, ending the updating security firmware; and
updating an application firmware comprises:
Step B1, erasing, by the application processor, an application firmware storage area, sending a reading-firmware-information instruction to the security processor, and waiting for firmware information returned from the security processor;
Step B2, decrypting, by the security processor, the first cipher in the firmware data cached in the firmware buffer so as to obtain a symmetric key after the reading-firmware-information instruction is received by the security processor, initializing the firmware-read address, and returning the firmware information cached in the firmware buffer to the application processor;
Step B3, initializing, by the application processor, the firmware-updated destination address after the firmware information is received by the application process, and executing Step B4;
Step B4, sending, by the application processor, a reading-firmware-data instruction to the security processor, and waiting for firmware data returned from the security processor;
Step B5, reading, by the security processor, a preset length of data from the firmware-read address after the reading-firmware-data instruction is received by the security processor, updating the firmware-read address, decrypting the read data according to the symmetric key, and returning data obtained by decrypting, which is decrypted data, to the application processor; and
Step B6, writing, by the application processor, the decrypted data into the firmware-updated destination address after the decrypted data is received by the application processor, updating the firmware-updated destination address; and determining whether there exists any unread data, if yes, returning to Step B4; otherwise, ending the updating application firmware.
2. The method as claimed in claim 1, wherein the firmware information comprises a firmware update flag; determining a type of firmware to be updated according to the firmware information specifically comprising: determining a type of the firmware update flag in the firmware information, the firmware to be updated is a security firmware in the case that the firmware update flag is a security firmware update flag; while the firmware to be updated is an application firmware in the case that the firmware update flag is an application firmware update flag.
3. The method as claimed in claim 1, wherein, before the preset length of data is read by the security processor from the firmware-read address, the method further comprises: initializing a reading length; after the preset length of cipher is read by the security processor from the firmware-read address, the method further comprises: updating the reading length; and determining whether there exists any unread data specifically comprises: determining, by the security processor, whether the reading length is a preset value, if yes, there isn't any unread data; otherwise, there exists unread data.
4. The method as claimed in claim 3, wherein, initializing the reading length specifically comprises: initializing the reading length, so as to make the initialized reading length equal a length of a second cipher in the firmware data cached in the firmware buffer; updating the reading length specifically comprises: updating the reading length as a length obtained by subtracting a preset length from a current value of the reading length; and the preset value specifically is 0.
5. The method as claimed in claim 1, wherein, initializing the firmware-read address specifically comprises: initializing the firmware-read address as an initial address of the second cipher in the firmware data cached in the firmware buffer; and updating the firmware-read address specifically comprises: updating the firmware-read address as an address obtained by adding the preset length of offset to the current address.
6. The method as claimed in claim 1, wherein, initializing, by the security processor, the firmware-updated destination address specifically comprises: initializing, by the security processor, the firmware-updated destination address as a preset address in the security firmware storage area; updating, by the security processor, the firmware-updated destination address specifically comprises: updating, by the security processor, the firmware-updated destination address as an address obtained by adding a preset length of offset to the current address.
7. The method as claimed in claim 1, wherein, initializing, by the application processor, the firmware-updated destination address specifically comprises: initializing, by the application processor, the firmware-updated destination address as a preset address in the application firmware storage area; and updating, by the application processor, the firmware-updated destination address specifically comprises: updating, by the application processor, the firmware-updated destination address as an address obtained by adding the preset length of offset to the current address.
8. The method as claimed in claim 1, wherein, in Step A3, when the security processor determines that there is no unread data, the step further comprises: erasing the firmware buffer.
9. The method as claimed in claim 1, wherein, in Step B6, when the application processor determines that there is no unread data, the step further comprises:
Step B7, sending, by the application processor, an instruction that reading firmware is finished to the security processor, waiting for an operation response returned from the security process;
Step B8, erasing, by the security processor, the firmware buffer after the instruction that reading firmware is finished is received by the security processor, and returning an operation response to the application processor; and
updating the application firmware is finished after the operation response returned from the security processor is received by the application processor.
10. The method as claimed in claim 1, wherein, before the security terminal checks the firmware information cached in the firmware buffer, the method further comprises: downloading a firmware, which comprises:
Step C1, sending, by an upper computer, an instruction for starting to download to the security processor via the application processor;
Step C2, erasing, by the security processor, the firmware buffer after the instruction for starting to download is received by the security processor, storing a firmware information in the instruction for starting to download into the firmware buffer, and returning a first operation response to the upper computer via the application processor;
Step C3, checking, by the upper computer, the first operation response after the first operation response is received by the upper computer, sub-packaging and sending the firmware via the application processor to the security processor in the case that the first operation response is that the operation is successful; while prompting that the information has error in the case that the first operation response includes error information, and terminating a process of downloading firmware;
Step C4, writing, by the security processor, firmware data in firmware data package into the firmware buffer after the firmware data packages are received by the security processor, and returning a second operation response to the upper computer via the application processor;
Step C5, checking, by the upper computer, the second operation response after the second operation response is received by the upper computer, sending a downloading-finished instruction to the security processor via the application processor in the case that the second operation response is that the operation is successful; while prompting that the information has error in the case that the second operation response includes error information, then terminating the downloading the firmware;
Step C6, determining, by the security processor, whether a firmware data package is included in the downloading-finished instruction after the downloading-finished instruction is received by the security processor, if yes, writing the firmware data in the firmware data package into the firmware buffer, and executing Step C7; otherwise, executing Step C7 directly;
Step C7, determining, by the security processor, whether the firmware information cached in the firmware buffer is legitimate, if yes, executing Step C8; otherwise, executing Step C10;
Step C8, determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer, if yes, executing Step C9; otherwise, executing Step C10;
Step C9, decrypting, by the security processor, a first cipher in the firmware data cached in firmware buffer so as to obtain a decrypted result, obtaining a hash value of a second cipher in the decrypted result; performing a hash calculation on a cipher in the firmware data cached in the firmware buffer so as to obtain a hash value of the second cipher, determining whether the hash value of the second cipher obtained from the decrypted result is just the same as the hash value of the second cipher obtained from the hash calculation, if no, erasing the firmware buffer, and executing Step C10; if yes, executing Step C10 directly;
Step C10, returning, by the security processor, a third operation response to the upper computer via the application processor; and
Step C11, checking, by the upper computer, the third operation response after the third operation response is received by the upper computer, in which the firmware is downloaded successfully in the case that the third operation response is that the operation is successful; while prompting that the information includes error in the case that the third operation response includes error information, the firmware is unsuccessfully downloaded.
11. The method as claimed in claim 1, wherein, the method further comprises downloading a firmware before the security terminal checks the firmware information cached in the firmware buffer, in which, downloading the firmware comprises:
Step D1, sending, by the application processor, a request-for-updating-firmware instruction to a server, and waiting for an instruction for starting to download sent from the server;
Step D2, sending, by the server, the corresponding instruction for starting to download via the application processor, to the security processor according to information of firmware type in the request-for-updating-firmware instruction after the request-for-updating-firmware instruction is received by the server;
Step D3, erasing, by the security processor, the firmware buffer after the instruction for starting to download is received by the security processor, saving firmware information in the instruction for starting to download into the firmware buffer, and returning the first operation response to the server via the application processor;
Step D4, checking, by the server, the first operation response after the first operation response is received by the server, sub-packaging the firmware and sending a sub-packaged firmware to the security processor via the application processor in the case that the first operation response is that the operation is successful; while prompting that the information has error in the case that the first operation response has error information, and terminating the downloading the firmware;
Step D5, writing, by the security processor, firmware data in firmware data packages into the firmware buffer after the firmware data packages are received by the security processor, returning a second operation response to the server via the application processor;
Step D6, checking, by the server, the second operation response after the second operation response is received by the server, sending a downloading-finished instruction to the security processor via the application processor in the case that the second operation response is that the operation is successful; while prompting that the information has error in the case that the second operation response includes error information, and terminating the downloading the firmware;
Step D7, determining, by the security processor, whether a firmware data package is included in the downloading-finished instruction after the downloading-finished instruction is received by the security processor, if yes, writing the firmware data in the firmware data package into the firmware buffer, and executing Step D8; otherwise, executing Step D8 directly;
Step D8, determining, by the security processor, whether the firmware information cached in the firmware buffer is legitimate, if yes, executing Step D9; if no, executing Step D11;
Step D9, determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer, if yes, executing Step S10; if no, executing Step D11;
Step D10, decrypting, by the security processor, a first cipher in the firmware data cached in the firmware buffer so as to obtain a decrypted result, obtaining a hash value of a second cipher from the decrypted result, performing a hash calculation on a second cipher in the firmware data cached in the firmware buffer so as to obtain a hash value of the second cipher, determining whether the hash value of the second cipher obtained from the decrypted result is just the same as the hash value of the second cipher obtained via the hash calculation, if no, erasing the firmware buffer and executing Step D11; if yes, executing Step D11 directly;
Step D11, returning, by the security processor, a third operation response to the server via the application processor; and
Step D12, checking, by the server, the third operation response after the third operation response is received by the server, in which downloading firmware is successful in the case that the third operation response is that the operation is successful; while prompting that the information has error in the case that the third operation response has error information, and downloading firmware is failed.
12. The method as claimed in claim 10, wherein, the firmware information includes fixed data; determining, by the security processor, whether the firmware information cached in the firmware buffer is legitimate specifically comprising: determining, by the security processor, the fixed data in the firmware information cached in the firmware buffer is preset data, if yes, determining that the firmware information cached in the firmware buffer is legitimate; otherwise, determining that the firmware information cached in the firmware buffer is illegitimate.
13. The method as claimed in claim 11, wherein, the firmware information includes fixed data; determining, by the security processor, whether the firmware information cached in the firmware buffer is legitimate specifically comprising: determining, by the security processor, the fixed data in the firmware information cached in the firmware buffer is preset data, if yes, determining that the firmware information cached in the firmware buffer is legitimate; otherwise, determining that the firmware information cached in the firmware buffer is illegitimate.
14. The method as claimed in claim 10, wherein, the firmware information comprises the length of firmware data; determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer specifically comprising: determining, by the security processor, whether the length of firmware data in the firmware information cached in the firmware buffer is just the same as the length of firmware data cached in the firmware buffer, if yes, determining that the firmware data cached in the firmware buffer is legitimate; otherwise, determining that the firmware data cached in the firmware buffer is not legitimate.
15. The method as claimed in claim 11, wherein, the firmware information comprises the length of firmware data; determining, by the security processor, whether the firmware data cached in the firmware buffer is legitimate according to the firmware information cached in the firmware buffer specifically comprising: determining, by the security processor, whether the length of firmware data in the firmware information cached in the firmware buffer is just the same as the length of firmware data cached in the firmware buffer, if yes, determining that the firmware data cached in the firmware buffer is legitimate; otherwise, determining that the firmware data cached in the firmware buffer is not legitimate.
16. The method as claimed in claim 11, wherein, after the security processor erases the security firmware storage area, the method further comprises: copying the firmware information cached in the firmware buffer into the security firmware storage area; after the application processor erases the application firmware storage area, the method further comprises: copying the firmware information cached in the firmware buffer into the application firmware storage area.
17. The method as claimed in claim 16, wherein, before Step D1, the method further comprises:
Step E1, sending, by the application processor, a reading-firmware-version-information instruction to the security processor, and waiting for version information of firmware returned from the security processor;
Step E2, obtaining, by the security processor, version information of the security firmware from the security firmware information stored in the security firmware storage area after the reading-firmware-version-information instruction is received by the security processor, obtaining version information of application firmware from the application firmware information stored in the application firmware storage area, and then returning the version information of security firmware and the version information of application firmware to the application processor;
Step E3, sending, by the application processor, a reading-latest-firmware-version-information instruction to the server after the version information of security firmware and the version information of application firmware are received by the application processor, and waiting for information of the latest firmware version returned from the server;
Step E4, sending, by the server, information of the latest security firmware version and information of the latest application firmware version to the application processor after the reading-latest-firmware-version-information instruction is received by the server; and
Step E5, comparing, by the application processor, the information of the latest security firmware version and the information of the latest application firmware version sent from the server with the version information of the security firmware and the version information of the application firmware returned from the security processor respectively, determining whether the firmware need to be updated, if yes, executing Step D1; otherwise, terminating downloading of the firmware.
18. The method as claimed in claim 11, wherein, sending, by the server, a corresponding instruction for starting to download to the security processor via the application processor according to the information of firmware type in the request-for-updating-firmware instruction specifically comprises: sending, by the server, the instruction for starting to download which includes firmware information of a security firmware update flag and the version information of the security firmware to the security processor via the application processor in the case that the firmware is the security firmware; and sending, by the server, the instruction for starting to download which includes firmware information of an application firmware update flag and the version information of the application firmware to the security processor via the application processor in the case that the firmware is the application firmware.
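The chunked loop of Steps A1 to A3 with the counters from claims 3 to 6, as an added C example that is not part of the patent text. `CHUNK_LEN`, the XOR stand-in for the unnamed symmetric cipher, the function names and the sample bytes are all assumptions constructed here. Because the claimed loop ends only when the reading length is exactly 0, the example refuses a second-cipher length that is not a multiple of the preset length, and does so before erasing anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHUNK_LEN 16u   /* assumed value for the claims' "preset length" */

/* Stand-in for the symmetric decryption of one chunk. The claims name no
 * cipher; XOR with the key only makes the example runnable and is not secure. */
static void decrypt_chunk(const uint8_t *key, const uint8_t *in, uint8_t *out)
{
    for (size_t i = 0; i < CHUNK_LEN; i++)
        out[i] = (uint8_t)(in[i] ^ key[i]);
}

/* Steps A1 to A3 with the counters of claims 3 to 6.
 * Returns 0 on success, -1 if the image cannot be walked safely. */
int update_security_firmware(const uint8_t *second_cipher, size_t cipher_len,
                             const uint8_t *key,
                             uint8_t *storage, size_t storage_len)
{
    /* The loop ends only when the reading length is exactly 0. A length that
     * is not a multiple of CHUNK_LEN would step past 0 and wrap, so it is
     * rejected here, before anything is erased. */
    if (cipher_len == 0 || cipher_len % CHUNK_LEN != 0 ||
        cipher_len > storage_len)
        return -1;

    memset(storage, 0xFF, storage_len);   /* A1: erase the storage area */
    size_t read_off = 0;                  /* firmware-read address */
    size_t dest_off = 0;                  /* firmware-updated destination address */
    size_t reading_len = cipher_len;      /* claim 4: starts at cipher length */

    while (reading_len != 0) {            /* A3: unread data remains */
        decrypt_chunk(key, second_cipher + read_off, storage + dest_off); /* A2 */
        read_off += CHUNK_LEN;            /* claim 5 */
        dest_off += CHUNK_LEN;            /* claim 6 */
        reading_len -= CHUNK_LEN;         /* claim 4 */
    }
    return 0;
}

/* Constructed sample: 32 bytes of "firmware" encrypted with the stand-in. */
int demo_roundtrip(void)
{
    uint8_t key[CHUNK_LEN], plain[32], cipher[32], storage[64];
    for (size_t i = 0; i < CHUNK_LEN; i++) key[i] = (uint8_t)(0xA0 + i);
    for (size_t i = 0; i < sizeof plain; i++) {
        plain[i] = (uint8_t)i;
        cipher[i] = (uint8_t)(plain[i] ^ key[i % CHUNK_LEN]);
    }
    if (update_security_firmware(cipher, sizeof cipher, key, storage, sizeof storage))
        return 0;
    return memcmp(storage, plain, sizeof plain) == 0 && storage[32] == 0xFF;
}

/* A 20-byte image is not a whole number of chunks and must be refused. */
int demo_rejects_ragged(void)
{
    uint8_t key[CHUNK_LEN] = {0}, cipher[20] = {0}, storage[64];
    memset(storage, 0x5A, sizeof storage);
    int rc = update_security_firmware(cipher, sizeof cipher, key, storage, sizeof storage);
    return rc == -1 && storage[0] == 0x5A;   /* refused, nothing erased */
}

int main(void) { return (demo_roundtrip() && demo_rejects_ragged()) ? 0 : 1; }
```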